Opinion: It's time to fix AV warning messages

by Richi Jennings, Contributor

Warning messages from antivirus filters are becoming nearly as burdensome as unsolicited and malicious e-mails. What can be done? Ferris Research analyst Richi Jennings says the answer is to pressure vendors and apply existing standards.

you a virus? I'm betting you have. If not ... well, consider yourself lucky.

These AV warning messages have become nearly as frequent and as burdensome as run-of-the-mill spam. They're certainly not doing the job they were intended to do. In fact, it's reached a point where AV vendors must do something about it.

Now that we've stopped using the "sneakernet" method of walking floppy disks around the office, the No. 1 way for viruses to spread is our old friend, e-mail. These days, an indecent chunk of unwanted e-mail traffic is viruses, worms, and other malware trying to propagate themselves.

Many AV products or services will warn customers if a virus is detected in an incoming message. Some sort of "virus alert" notification lands in an end-user's inbox. It'll either include the original message with the attachment stripped out, or consist of a simple notification that "so-and-so sent you a virus, and click here to read the message in the quarantine." The intention is that you can notify the sender that there's a virus on their PC.

Here's the problem: these days, most virus-infected e-mail isn't sent by unknowing individuals. It's sent by other viruses. It's effectively spam, except the motivation is to take over your computer, not to sell you herbal enhancements, fake watches, or the latest small cap. In fact, the viruses will often use the same lists of recipients as spammers do. And there's no point in contacting the "sender" of the message -- it's probably forged.

Yes, these virus-alert messages are now just as bad as spam. People quickly learn that these warning messages are just a waste of space, often tuning them out. Savvier mail recipients will set up rules to delete them. Unfortunately, the AV filter will occasionally tell you about a virus in a legitimate message -- one that you actually wanted to know about. Shame you're now ignoring those warnings, isn't it?

Not only that, but it could be your e-mail address being used to forge the message sender. If that happens, you'll probably start getting non-delivery replies from people you've never heard of, telling you that you've sent a virus or that their mailbox no longer exists. Still, only a tiny proportion of these messages are of any use. Let's not mention any names, but some AV solutions should be more selective in which messages they warn about.

The interpretation of these messages could and should be handled by e-mail authentication technologies such as Sender Policy Framework (SPF), its proprietary Microsoft buddy Sender ID, and DomainKeys Identified Mail (DKIM), created by Yahoo and Cisco Systems Inc. If the supposed sender of the infected message used one of these technologies, the AV filter would have a better idea of whether the e-mail address was forged or not.

Similarly, AV filters could get smarter about looking at the reputation of the message's source. I don't just mean whether the sending IP address is on a blacklist (or "blocklist" if you insist), but also the fuzzier criteria. For instance, does the sending IP belong to a block of consumer DSL connections? You wouldn't expect legitimate e-mail to be sent directly from one of those; it would normally go via a mail server.
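One way an AV filter could apply the two ideas above before firing off a "you sent us a virus" alert, as an added example that is not from this column or any vendor's product: it reads the SPF/DKIM verdicts from the receiving server's Authentication-Results header and the connecting IP from the topmost Received header, and suppresses the alert when the sender failed authentication or delivered straight from consumer address space. The consumer netblock list, the header layout and the sample messages are all constructed for the example.

```python
import email
import ipaddress
import re

# Constructed stand-in for a consumer DSL / dynamic-IP list (assumption: a real filter would
# load this from a DNSBL or a published dynamic-address list rather than hard-code it).
CONSUMER_NETBLOCKS = [ipaddress.ip_network("203.0.113.0/24")]

def parse_auth_results(msg):
    """Collect spf=/dkim= verdicts from Authentication-Results headers, e.g. {'spf': 'pass'}."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for method, verdict in re.findall(r"\b(spf|dkim)=(\w+)", str(header), re.IGNORECASE):
            results[method.lower()] = verdict.lower()
    return results

def sender_ip(msg):
    """Pull the connecting IP from the topmost Received header's '[a.b.c.d]' clause."""
    received = msg.get_all("Received", [])
    match = re.search(r"\[([0-9a-fA-F.:]+)\]", str(received[0])) if received else None
    return ipaddress.ip_address(match.group(1)) if match else None

def should_notify_sender(raw_message):
    """Return (decision, reason): is an alert to the From: address worth sending at all?"""
    msg = email.message_from_bytes(raw_message)
    auth = parse_auth_results(msg)
    ip = sender_ip(msg)
    if auth.get("spf") in ("fail", "softfail") or auth.get("dkim") == "fail":
        return False, "sender failed SPF/DKIM; address is probably forged"
    if ip is not None and any(ip in net for net in CONSUMER_NETBLOCKS):
        return False, "delivered directly from consumer address space"
    if auth.get("spf") == "pass" or auth.get("dkim") == "pass":
        return True, "sender authenticated; the owner may really be infected"
    return False, "no authentication result; sender cannot be trusted"

# Constructed sample messages (not real traffic); headers only, the body is irrelevant here.
FORGED_MESSAGE = b"""Received: from dsl-host.example (unknown [203.0.113.45]) by mx.example.net
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=victim.example; dkim=none
From: alice@victim.example
"""

LEGIT_MESSAGE = b"""Received: from mail.victim.example (mail.victim.example [198.51.100.10]) by mx.example.net
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=victim.example; dkim=pass header.d=victim.example
From: alice@victim.example
"""

if __name__ == "__main__":
    for name, raw in (("forged", FORGED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, should_notify_sender(raw))
```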